Systems and methods herein generally relate to cryptography and security, and more particularly, to secure authorizations using independent communications and different one-time-use encryption keys for each party to a transaction.
Transactions in cyberspace are commonplace, but they are not always secure. There is an old oil industry adage: “To be successful, you need to control either the pipelines or the product.” In cyberspace, the products are flowing, but the pipelines are leaking. To date, the focus has been on moving information securely from point A to point B and requiring that it be stored securely at every point along the way; this, however, does not address the underlying transactional or security issues.
The desire to secure and finalize transactions in cyberspace—both payment and non-payment transactions—is an issue that impacts everyone. Government agencies and security experts encourage users to choose more sophisticated (i.e., “more complicated”) passwords, to avoid reusing the same password across different sites, and to change all passwords on a regular basis. This stops short of fixing the problem, however, because a password identifies a user account, not the person using it. Moreover, most of what is being proposed is “mitigation”—extra steps (and related costs) intended to make payment and non-payment transactions in cyberspace “more secure”; yet breaches still occur, adding tremendous costs for all parties involved without actually securing or finalizing the transactions.
Transactions in cyberspace (cyber-transactions) can be divided into two basic types: those involving payments through a bank or payment network (“cyber-payment transactions”) and those that do not necessarily involve payments through a bank or payment network (“non-payment cyber-transactions”). Cybersecurity, or the lack of it, is a problem, and the threats posed by this problem are both real and pervasive, so much so that the lack of cybersecurity has become a form of accepted “toll” that all organizations and individuals must pay for accessing the information highway.
The inability to actually identify the parties to transactions in cyberspace, and to provide those parties with tools to actually bind each other to such transactions, is at the root of the problem. Merchants experience this every time they are faced with a bank chargeback for a CNP (“card not present”) transaction in which the cardholder has denied the charge. Whether the charge is the result of fraud, friendly fraud, or a hacked system is not the greatest issue. The issue is that someone has to pay; and, more often than not, that someone is the merchant, because the terms of the merchant's agreement for accepting payment cards require the cardholder to be present and to sign the receipt. Without this signature, the merchant is liable for the transaction. The same holds true for non-payment transactions: an intrusion by a non-verified, non-authorized person can be costly, and someone has to pay the costs.
The problems that cyber-transactions present go well beyond signatures and identity verification, however. In general, for a transaction to be valid, certain conditions must be met. As a general rule, these include: the parties to the transaction being actually identified; their presence during the transaction being actually established; their agreement to and understanding of the transaction (a classic reason for a valid signature) being actually established; and the parties' agreement to be bound by the terms of the agreement/transaction (e.g., by a valid signature). As the history of cyberspace has demonstrated, failure to accomplish any of these steps has potential consequences, generating higher risks and adding costs.